Legal documents released as part of the ongoing litigation between Meta's WhatsApp and NSO Group show that the Israeli spyware maker used several exploits targeting the messaging app to deliver Pegasus, including one that was still in use after Meta sued it.
The documents also show that NSO Group repeatedly found ways to install the invasive tracking tool on targeted devices as WhatsApp built new defenses to counter the threat.
In May 2019, WhatsApp said it had blocked a sophisticated cyberattack that used its video calling system to secretly deliver the Pegasus malware. The attack exploited a zero-day flaw tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow bug in the voice call function.
The documents now reveal that NSO Group “developed another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus.” The attack vector – a zero-click exploit that can compromise a victim’s phone without any interaction from the victim – was neutralized sometime after May 2020, suggesting it was still being used after WhatsApp sued the company in October 2019.
Erised is believed to be one of many such malware vectors – collectively known as Hummingbird – that NSO Group developed to install Pegasus using WhatsApp as a conduit, including those tracked as Heaven and Eden, the latter of which is the codename for CVE-2019-3568 and was used to target around 1,400 devices.
“[NSO Group] has admitted that they developed these exploits by extracting and decompiling WhatsApp code, reengineering WhatsApp and developing and using their own ‘WhatsApp Installation Server’ (or ‘WIS’) to send malicious messages (which a legitimate WhatsApp client could not send) through WhatsApp’s servers and thereby cause target devices to install the Pegasus spyware agent — all in violation of federal and state law and the plain language of WhatsApp’s Terms of Service,” the unsealed court documents state.
Specifically, Heaven used manipulated messages to force WhatsApp’s signaling servers – which are used to authenticate the client (i.e., the installed app) – to direct target devices to a third-party relay server controlled by NSO Group.
Server-side security updates made by WhatsApp towards the end of 2018 are said to have prompted NSO Group to develop a new exploit called Eden by February 2019, which ditched NSO Group’s own relay server in favor of WhatsApp-operated relays.
“NSO declined to say whether it developed further WhatsApp-based malware vectors after May 10, 2020,” one of the documents said. “NSO also acknowledges that malware vectors were used to successfully install Pegasus on ‘between hundreds and tens of thousands’ of devices.”
In addition, the documents offer a behind-the-scenes look at how Pegasus is installed on a target device using WhatsApp and how NSO Group, not the customer, runs the spyware, contradicting previous claims by the Israeli company.
“The role of NSO customers is minimal,” the documents state. “The customer only had to enter the target device number and ‘click Install’ and Pegasus would remotely install the agent on the device without any involvement. In other words, the customer simply places an order for the target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its Pegasus architecture.”
NSO Group has repeatedly claimed that its product is designed to fight serious crime and terrorism. It has also insisted that its customers are responsible for operating the system and that only they have access to the information it collects.
Back in September 2024, Apple filed a petition to “voluntarily” dismiss its lawsuit against NSO Group, citing a changing risk landscape that could lead to the exposure of critical “threat intelligence” information and “has the potential to compromise vital security information.”
In the intervening years, the iPhone maker steadily added new security features that made mercenary spyware attacks more difficult. Two years ago it introduced Lockdown Mode as a way to harden the device by restricting the functionality of apps such as FaceTime and Messages and blocking the installation of configuration profiles.
Earlier this week, there were reports that a new security mechanism in iOS 18.2 beta versions automatically reboots the phone if it has not been unlocked within 72 hours, requiring users, including law enforcement agencies that may have access to suspects’ phones, to re-enter the passcode to access the device.
Magnet Forensics, which sells a forensic data extraction tool called GrayKey, confirmed the “reboot on inactivity” feature, stating that the trigger is “tied to the device’s locked state” and that “once the device enters the locked state and hasn’t been unlocked for 72 hours, it will reboot.”
“Due to the new idle reboot timer, it’s now more important than ever that devices acquire an image as quickly as possible to ensure the most available data is captured,” it added.